FortiGate
salmas (Staff)
Article Id 370508
Description: This article describes the issue that affects local-in, central SNAT, DoS and similar policies after upgrading a FortiGate to version 7.4.6 or 7.6.1.
Scope: FortiOS v7.4.6+ and v7.6.1+.
Solution

After upgrading to v7.4.6 or v7.6.1, local-in, DoS, central SNAT and similar policies are deleted or show empty values when the interface they reference is a member of an SD-WAN zone.


Refer to the following upgrade information:

Policies that use an interface show missing or empty values after an upgrade


If a local-in policy, DoS policy, interface policy, multicast policy, TTL policy, or central SNAT map in version 7.4.5, 7.6.0 GA, or any previous GA version used an interface that was a member of the SD-WAN zone, these policies will be deleted or show empty values after upgrading to version 7.4.6 or 7.6.1.


After upgrading to version 7.4.6 or 7.6.1 GA, users must manually recreate these policies and assign them to the appropriate SD-WAN zone.
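Because the policies are removed silently, it helps to know before the upgrade which ones will be lost and which zone each must be recreated against. The following Python script is an added example, not part of the Fortinet article: it parses a FortiOS configuration backup (a `show full-configuration` dump saved before upgrading), maps each SD-WAN member interface to its zone, and lists every policy in the tables named in the upgrade note that references a member interface directly. The configuration text is constructed for illustration; the table and attribute names are the FortiOS CLI ones for those tables (check them against your own backup), and the fallback zone name `virtual-wan-link` is the FortiOS default zone.

```python
import shlex

# Constructed sample of a pre-upgrade FortiOS configuration backup.
# Interface, zone and policy names are invented for illustration only.
SAMPLE_CONFIG = """\
config system sdwan
    set status enable
    config members
        edit 1
            set interface "port1"
        next
        edit 2
            set interface "port2"
            set zone "sdwan-branch"
        next
    end
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "IGMP"
        set schedule "always"
    next
end
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port3"
    next
end
config firewall DoS-policy
    edit 1
        set interface "port3"
    next
end
"""

# Policy tables named in the upgrade note, with the attribute(s) that hold
# an interface reference in the FortiOS CLI.
POLICY_INTERFACE_KEYS = {
    "firewall local-in-policy": ("intf",),
    "firewall DoS-policy": ("interface",),
    "firewall interface-policy": ("interface",),
    "firewall multicast-policy": ("srcintf", "dstintf"),
    "firewall ttl-policy": ("srcintf",),
    "firewall central-snat-map": ("srcintf", "dstintf"),
}


def parse_fortios_config(text):
    """Parse FortiOS config/edit/set/next/end text into a flat dict keyed by
    (tuple of nested config names, edit name). 'set' lines that sit directly
    under a 'config' block (no 'edit') are stored under edit name None."""
    entries = {}
    stack = []  # ("config", name) or ("edit", name) frames, innermost last

    def current_key():
        path = tuple(name for kind, name in stack if kind == "config")
        edit = stack[-1][1] if stack and stack[-1][0] == "edit" else None
        return (path, edit)

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and header comments
            continue
        tokens = shlex.split(line)  # handles quoted names containing spaces
        keyword = tokens[0]
        if keyword == "config":
            stack.append(("config", " ".join(tokens[1:])))
        elif keyword == "edit":
            stack.append(("edit", tokens[1]))
            entries.setdefault(current_key(), {})  # keep entries with no 'set'
        elif keyword in ("next", "end"):
            stack.pop()
        elif keyword == "set":
            entries.setdefault(current_key(), {})[tokens[1]] = tokens[2:]
    return entries


def sdwan_members(entries):
    """Map each SD-WAN member interface to its zone. A member with no explicit
    'set zone' belongs to the default zone "virtual-wan-link"."""
    members = {}
    for (path, edit), attrs in entries.items():
        if path == ("system sdwan", "members") and edit is not None:
            interface = attrs.get("interface", [None])[0]
            if interface:
                members[interface] = attrs.get("zone", ["virtual-wan-link"])[0]
    return members


def find_affected(entries, members):
    """Return policies that reference an SD-WAN member interface directly,
    together with the zone each should be recreated against after upgrading."""
    findings = []
    for (path, edit), attrs in entries.items():
        if len(path) != 1 or path[0] not in POLICY_INTERFACE_KEYS or edit is None:
            continue
        for key in POLICY_INTERFACE_KEYS[path[0]]:
            for interface in attrs.get(key, []):
                if interface in members:
                    findings.append({"table": path[0], "policy": edit, "key": key,
                                     "interface": interface, "zone": members[interface]})
    return findings


if __name__ == "__main__":
    parsed = parse_fortios_config(SAMPLE_CONFIG)
    for f in find_affected(parsed, sdwan_members(parsed)):
        print(f"{f['table']} edit {f['policy']}: {f['key']} \"{f['interface']}\" "
              f"is an SD-WAN member; recreate with zone \"{f['zone']}\"")
```

On the constructed sample the script reports local-in policy 1 (port1, default zone) and central SNAT map 1 (port2, zone sdwan-branch); the DoS policy on port3 is not reported because port3 is not an SD-WAN member. Each reported policy is the one to recreate after the upgrade with the zone name in place of the interface, as the local-in CLI example in this article shows.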

The following error occurs if an interface that is a member of an SD-WAN zone is selected as the interface of the local-in policy.

[Image: Error_1.png]

An appropriate SD-WAN zone must be selected.

[Image: SAVE.png]


Local-in policy configuration from the CLI:


config firewall local-in-policy
    edit 1
        set intf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "IGMP"
        set schedule "always"
    next
end


There is one more issue: the SD-WAN zone is not available for selection in the GUI for DoS policies, multicast policies, and central SNAT policies. Create those policies from the CLI, where the SD-WAN zone can be configured.


[Image: DoS_Policy.png]

From the CLI:


[Image: DoS_Policy_CLI.png]


This does not affect VIPs that are already configured with specific interfaces, even when those interfaces are members of SD-WAN zones. VIPs remain as they are after the upgrade.

Similarly, the same error is observed when using an interface that is referenced in an interface zone. Use the interface zone instead of the individual interface.